Prominent Security Researchers, Academics, and Lawyers Demand Congress Reform the CFAA and Support Aaron's Law

EFF is at Black Hat and DEF CON this week, two conferences that draw a wide variety of people from tech, including security researchers, coders, engineers, and everyday users. This year, EFF is pushing its campaign for common-sense changes to the Computer Fraud and Abuse Act, including a phone booth called the CFAA DC Dialer that lets DEF CON attendees call their Representative.

Alex Stamos, Nico Sell, and EFF are also publishing a letter from security researchers and members of the DEF CON community calling on Congress to reform the CFAA and to support Aaron's Law, a bipartisan bill sponsored by Representatives Zoe Lofgren and Jim Sensenbrenner and Senator Ron Wyden. The signatories include prominent lawyers, professors, security researchers, and members of the tech community, among them Jeff Moss, Ed Felten, Alex Stamos, Stefan Savage, Cory Doctorow, Nico Sell, and Avi Rubin.

The letter calls on Congress to pass Aaron's Law, noting:

While seldom heralded publicly, security researchers in academia, industry, public service, and independent practice work to identify serious security shortcomings in systems ranging from medical devices to voting machines to cloud services to critical national infrastructure. This research and investigation is especially urgent as we find ourselves integrating computers into our homes, vehicles—even our bodies. The security research community stands ready to meet that technical challenge, but we need Congress to clear legal hurdles out of our way.

The CFAA is long overdue for reform, and Aaron's Law makes common-sense changes already confirmed by court decisions in both the Ninth and Fourth Circuits. Now is the time for Congress to act. Join us by telling your Representative now to reform the CFAA. If you'd like to sign the letter, please email info@eff.org with the subject header "DEF CON CFAA Letter." The full letter can be found here, or you can read it below.

Dear Congress and members of the Senate and House Committees on the Judiciary,

We are computer security experts who have dedicated our careers to maintaining the safety and integrity of information technology systems in the service of consumers, businesses, and governments worldwide. We are also coders, developers, engineers, explorers, and users of digital technologies who care deeply about protecting those who engage in computer security research and science. We write to urge you to support HR 2454, “Aaron’s Law.” It is a new bipartisan bill by Representatives Zoe Lofgren and Jim Sensenbrenner and Senator Ron Wyden aimed at reforming the Computer Fraud and Abuse Act (“CFAA”), 18 USC § 1030. The bill seeks to ensure that this work will continue both to help Americans be more secure and to ensure that American companies build better products.

While seldom heralded publicly, security researchers in academia, industry, public service, and independent practice work to identify serious security shortcomings in systems ranging from medical devices to voting machines to cloud services to critical national infrastructure. This research and investigation is especially urgent as we find ourselves integrating computers into our homes, vehicles—even our bodies. The security research community stands ready to meet that technical challenge, but we need Congress to clear legal hurdles out of our way.

We recognize that there are bad actors in the world: individuals, groups, corporations, and nations that wish to use technology to manipulate, lie, cheat, and steal. We have no desire to eliminate the ability for real crimes to be investigated and criminals judged with due process. Yet while the CFAA has a core purpose of criminalizing harmful computer intrusions that we strongly support, the law has lost its way. It now poses an increasing threat to security research. In short, applied computer security research requires experimenting with computer systems. The CFAA, due to outdated wording, makes it unlawful to access a computer system “without authorization” or “in excess of authorization.” This vague wording, while not misused in the early days of the statute, has recently allowed the Department of Justice and companies litigating under the civil enforcement provision of the law to push an expansive definition that, if applied, would make much of the best work in computer security research a serious federal crime, along with criminalizing ordinary behavior like violating terms of service.

For decades now, independent security research involving computer systems has slowly pushed the world’s technology providers to build more trustworthy products. Some examples:

ELECTRONIC VOTING: A number of computer scientists, including Princeton professor and former FTC Chief Technologist Ed Felten and Johns Hopkins University professor Avi Rubin, have tested the security of electronic voting systems, again generally without authorization, and discovered critical flaws that would make it possible for wrongdoers to rig elections and for votes to be lost through malfunctions and misconfigurations. This research led many jurisdictions across the country to abandon paperless voting machines and begin to put real auditing processes into place. It also initiated a national dialogue and created an informed open debate about how and when digital technologies and networked machines should be used in voting.

SAFE DRIVING: Computer scientists, including professor Stefan Savage at the University of California San Diego, are documenting security vulnerabilities in computer systems in cars, like tampering with the cars’ brakes. These flaws could make it possible for malicious hackers to interfere with car systems in a way that would make the vehicle less safe to drive. Without the work of these researchers, the public wouldn’t know about these flaws, and car manufacturers wouldn’t have critical feedback on how to build more secure computer systems for cars.

CONSUMER PRIVACY: Computer scientists are studying how advertisers and other companies track consumers’ activities online and report web browsing details back to entities interested in knowing such information. This information helps inform the citizenry about the sometimes hidden business models behind many new technologies, including social networks and other online services. It has also spurred actions by the FTC and state legislatures to try to build useful tools and rules for these tracking activities.

PUBLIC HEALTH: Several academic and independent security researchers, including computer science professor Tadayoshi Kohno at the University of Washington, have revealed security flaws in medical devices like insulin pumps and pacemakers that put the privacy and physical safety of patients at risk. As a result of this important research, done largely without the authorization of the medical device makers who were initially resistant, the Government Accountability Office has now recommended that the FDA devise a plan to keep tabs on the security risks of implantable medical devices.

As you know, the very purpose of federal computer crime law is to promote computer security by punishing those who break into computers and cause harm. Yet paradoxically, the CFAA currently threatens and chills valuable research in the field by reaching mere violations of terms of use and other acts, such as security research, which cause no real harm and indeed make the public safer. Many of our colleagues, and many of us, have directly experienced the chilling effects of the CFAA. Actual litigation or prosecution of security researchers is, to be sure, quite rare. But that’s because the mere risk of litigation or a federal prosecution is frequently sufficient to induce a researcher (or their educational or other institution) to abandon or change a useful project. Some of us have jettisoned work due to legal threats or fears.

HR 2454, the bipartisan CFAA reform bill called Aaron’s Law, includes a provision that would eliminate the possibility that terms of service violations or other contractual “duty” can constitute an offense. The bill also adjusts the CFAA penalty scheme to ensure that actions that do no harm are not heavily penalized. This bill is an important first step in protecting the work of security researchers, as well as the general public, and we stand ready to assist as the legislative process progresses. We urge you to support this bill, to take immediate action and help to reform the CFAA so that the future vitality of responsible computer security research, and all of us who are protected by it, is ensured.
